CVE-2023-51767

Publication date 24 December 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

7.0 · High

Score breakdown

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Read the notes from the security team

Status

Package Ubuntu Release Status
openssh 23.10 mantic Ignored
23.04 lunar Ignored end of life, was ignored [2024-01-02]
22.04 LTS jammy Ignored
20.04 LTS focal Ignored
18.04 LTS bionic Ignored
16.04 LTS xenial Ignored
14.04 LTS trusty Ignored
openssh-ssh1 23.10 mantic Ignored
23.04 lunar Ignored end of life, was ignored [2024-01-02]
22.04 LTS jammy Ignored
20.04 LTS focal Ignored
18.04 LTS bionic Ignored
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release

Notes


seth-arnold

openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment.


mdeslaur

The researchers used a modified version of sshd to make this vulnerability easier to demonstrate. There is no indication the openssh package in Ubuntu can be exploited in the same way. The upstream OpenSSH developers have chosen to ignore this issue as this vulnerability isn't exploitable in practice, and needs to be addressed by the hardware platform, not in OpenSSH itself. Since there is nothing actionable here for Ubuntu, I am marking this issue as ignored.

Severity score breakdown

Parameter Value
Base score 7.0 · High
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H